An Audit Method of Personal Data Based on Requirements Engineering

Security analysis of computer systems studies the vulnerabilities that affect an organization from various points of view. In recent years, a growing interest in guaranteeing that the organization makes a suitable use of personal data has been identified. Furthermore, the privacy of personal data is regulated by the Law and is considered important in a number of Quality Standards. This paper presents a practical proposal to make a systematic audit of personal data protection within the framework of CobiT audit based on SIREN. SIREN is a method of Requirements Engineering based on standards of this discipline and requirements reuse. The requirements predefined in the SIREN catalog of Personal Data Protection (PDP), along with a method of data protection audit, based on the use of this catalog, can provide organizations with a guarantee of ensuring the privacy and the good use of personal data. The audit method proposed in this paper has been validated following the Action Research method, in a case study of a medical center, which has a high level of protection in the personal data that it handles.

[1]  Thomas Wetter,et al.  Data security and protection in cross-institutional electronic patient records , 2003, Int. J. Medical Informatics.

[2]  Mario Piattini,et al.  Legal requirements reuse: a critical success factor for requirements quality and personal data protection , 2002, Proceedings IEEE Joint International Conference on Requirements Engineering.

[3]  Lawrence Chung,et al.  Dealing with Security Requirements During the Development of Information Systems , 1993, CAiSE.

[4]  Robin Dowie,et al.  Clinical audit in NHS acute and community trusts: a comparative analysis , 2001 .

[5]  Thomas C. Rindfleisch,et al.  Privacy, information technology, and health care , 1997, CACM.

[6]  Rhidian Hughes,et al.  Is audit research? The relationships between clinical audit and social-research. , 2005, International journal of health care quality assurance incorporating Leadership in health services.

[7]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[8]  Pierangela Samarati,et al.  Authentication, access control, and audit , 1996, CSUR.

[9]  Sean W. Smith,et al.  Grand challenges in information security: process and output , 2004, IEEE Security & Privacy Magazine.

[10]  Simon de Lusignan,et al.  The roles of policy and professionalism in the protection of processed clinical data: A literature review , 2007, Int. J. Medical Informatics.

[11]  Marco Gruteser,et al.  Data Protection and Data Sharing in Telematics , 2004, Mob. Networks Appl..

[12]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[13]  Simon Shiu,et al.  Enabling shared audit data , 2004, International Journal of Information Security.

[14]  Fabio Massacci,et al.  Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation , 2005, Comput. Stand. Interfaces.

[15]  Trevor Wood-Harper,et al.  A critical perspective on action research as a method for information systems research , 1996, J. Inf. Technol..

[16]  Richard Baskerville,et al.  Investigating Information Systems with Action Research , 1999, Commun. Assoc. Inf. Syst..